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Abstract — This paper describes liow to determine the param- 
eter values of the chaotic Lorenz system used in a two-channel 
cryptosystem. The geometrical properties of the Lorenz system 
are used firstly to reduce the parameter search space, then the 
parameters are exactly determined, directly from the ciphertext, 
through the minimization of the average jamming noise power 
created by the encryption process. 

Index Terms — Chaos, cryptography, cryptanalysis, nonlinear 
systems, security of data, Lorenz system. 

I. Introduction 

IN recent years, a growing number of cryptosystems based 
on chaos synchronization have been proposed [1], many 
of them fundamentally flawed by a lack of robustness and 
security. 

The first schemes of synchronization-related chaotic cryp- 
tography were based on the masking of a plaintext message by 
a system variable of a chaotic generator [2]-[4]. The receiver 
had to synchronize with the sender to regenerate the chaotic 
signal and thus recover the message. This simple design is 
easily broken by elemental filtering of the ciphertext signal 
'■ [5]-[7]. 

Recently, there appeared some chaotic cryptosystems with 

■ an enhanced plaintext concealment mechanism; the ciphertext 
I consisted of a complicated non-linear combination of the 

■ plaintext and a variable of a chaotic transmitter generator, from 
I which it was an unattainable goal to retrieve a clean plaintext. 

As it was impossible to synchronize a chaotic receiver with 
such ciphertext, a second channel was used for synchroniza- 
1 tion. The synchronizing signal was a different sender chaotic 
variable, that was transmitted without modification. The same 
system parameters values were used at sender and receiver 
[8H10]. 

One of these cryptosystems, proposed by Jiang [8], made 
use of the Lorenz chaotic system [13], that is defined by the 
following equations: 

X ^(j{y- x), 

y = px - y - xz, (1) 

z = xy — (3z, 
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where cr, p and 13 are fixed parameters. 
The ciphertext s was defined as 

s ^ fi{x,y,z) + f2{x,y,z)m, (2) 

where m is the plaintext. 

The receiver was designed as a reduced order nonlinear 
observer with a mechanism to achieve efficient partial synchro- 
nization, under the drive of x{t). It can generate two signals 
yr{t) and Zr{t) that converge to the driver system variables 
y{t) and z{t), respectively, as t ^ oo. 

The recovered plaintext m*{t) was retrieved with the func- 
tion: 

S fi{x,yr,Zr) 
h[X,yr,Zr) f2(X,yr,Zr) 

It was given an example in [8, §111] with the following 
functions: fi{x,y,z) = y^ and f2{x,y,z) = 1 + y^; the 
following parameter values: cr = 10, p = 28 and j3 — 8/3; 
and with the following initial conditions: (a;(0), 2/(0), z{Q)) = 
(0, 0.01, 0.01) and (j/^(0), z^(0)) = (0.05, 0.05). The plain- 
text was a small amplitude sinusoidal signal of 30 Hz, m(t) = 
0.05 sin(27r30i). The author claimed that this cryptosystem 
guarantees higher security and privacy, showing that an error 
of 0.05 in the retrieval of yr, due to a poor parameter 
estimation, giving rise to a serious distortion in the retrieved 
plaintext. 

In the vast majority of chaotic cryptosystems, the security 
relies on the secrecy of the system parameters, which play the 
role of secret key. Hence, the determination of the system 
parameters is equivalent to breaking the system. Recently, 
Solak [11] analyzed the cryptosystem [8] and showed how 
an eavesdropper could identify the value of the parameter p, 
provided that it has the previous knowledge of the two other 
transmitter system parameters (3 and a. Solak's approach was 
based on a novel expression of the Lorenz system. Formerly 
Stojanovski, Kocarev and Parlitz [12] described a generic 
method, to reveal simultaneously all the three parameters of 
a Lorenz system when one of the the variables x{t) or y{t) 
were known, that could be applied to break this cryptosystem. 

The present work describes an efficient determination 
method of the only two unknown parameters p and j3 needed 
to build up an intruder Lorenz system receiver, from the 
ciphertext alone, without partial knowledge of any transmitter 
parameters. Firstly, some geometrical properties of the Lorenz 
attractor are shown. Then, advantage is taken of them to 
minimize, as much as possible, the parameters search space. 
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Fig. 2. Equilibrium points estimation relative error, when taking the 
eye center coordinate x'^± instead of the true value of Xq± . 




Fig. 1 . Lorenz chaotic attractor; (a) x — y plane projection; (b) enlarged view, 
showing the incoming trajectoiies portion attracted by the equihbrium point 
C+ , the flow direction is indicated by arrows. The position of the equilibrium 
points C+ and C~ is indicated by asterisks. 



Finally, the unknown receiver parameters are determined with 
high accuracy. 

II. The Lorenz attractor' s geometrical 

PROPERTIES 

According to [13], the Lorenz system has three equilibrium 
points. The origin is an equilibrium point for all parameter 
values; for < p < 1 the origin is a globally attracting 
asymptotically stable sink; for 1 < p < pn the origin 
becomes a non-stable saddle point, giving rise to two other 
stable twin equilibrium points C+ and C~, of coordinates 
xc± = ±x/f3{p- 1), yc± = ±^/f3{p-l) and zc± = p-l, 
being pH a critical value, corresponding to a Hopf bifurcation 
[14], whose value is: 

(a + /3 + 3) 



PH 



{<j-p-l) 



(4) 



When p exceeds the critical value p^ the equilibrium 
points C+ and become non-stable saddle foci, by a Hopf 
bifurcation, and the strange Lorenz attractor appears. The 
flow, linearized around (7+ and C~, has one negative real 
eigenvalue and a complex conjugate pair of eigenvalues with 
positive real part. As a consequence, the equilibrium points 
are linearly attracting and spirally repelling. 

Figure [n a) shows the double scroll Lorenz attractor formed 
by the projection on the x — y plane, in the phase space, of 



a trajectory portion extending along 12 s; the parameters are 
(T = 16, p = 100 and /3 = 8/3. 

It is a well known fact that the Lorenz attractor trajectory 
draws two 3D loops, in the vicinity of the equilibrium points 
C+ and C^, with a spiral like shape of steadily growing 
amplitude, jumping from one of them to the other, at ir- 
regular intervals, in a random like manner though actually 
deterministic [13]. The trajectory may pass arbitrarily near to 
the equilibrium points, but never reach them while in chaotic 
regime. 

The geometrical properties of Lorenz system allows for 
a previous reduction of the search space of the p and /3 
parameters, taking advantage of the relation of them with the 
coordinates X(j± ~ ±y7f(p~~T) of the equilibrium points. 

Let us call attractor eyes to the two neighborhood regions 
around the equilibrium points that are not filled with the spiral 
trajectory. The eye centres are the fixed points C'^ and C~ . 

The pending problem is to determine the eye centres when 
the inner turns are missing, as happens in normal chaotic 
regime. With the drive signal x{t), we solved it by exper- 
imentally estimating the middle point value of the trajectory 
maxima and minima in the phase space projection on the x — y 
plane. The best result was obtained by taking into account only 
the regular spiral cycle closest to the center, shown in Fig.fljb) 
as a thick continuous line. The x-coordinate of the eye center 
was calculated with the following empirical formula: 

0.9 + 0.1 a;„2 + 
Xc± = 2 ' ^ 

where xmi is the minimum of all the maxima of \x{t)\ spiral 
trajectory, Xmi and Xjn2 are the two minima immediately 
preceding and following xmi, respectively. 

As the spiral has a growing radius, it was necessary to 
take a weighted mean between the two minima x^i and 
Xm2, the optimal values of the two weights were determined 
experimentally. Instead of making two computations, one 
around C+ and another around C^, a unique computation 
was done on the absolute value waveform It should 

be noted that all the first maxima after a change of sign of 
x{t) and y{t) must be discarded because they belong to the 
incoming trajectory portion attracted by the equilibrium points 
and do not belong to the spiral trajectory, one of them is 
shown in Fig. [Ttb) as a thick dashed line. 

The result is illustrated in Fig. |2] It can be seen that the 
relative value of the error, taking the eye center coordinate 
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20 25 30 35 Hz 



Fig. 3. Logarithmic power spectrum of tlie retrieved plaintext with a wrong 
guessing of response system parameters. 



a;^± instead of the true value of xc± , is less than 2x10 ^. The 
system parameters were varied in the margins: a G (9.7, 37.4), 
p € (25.6,94.8) and f3 € (2.6,8.4). The system initial 
conditions were the same as the example of [8, §111]; the period 
of measurement was 20 s and the sampling frequency was 
1200 Hz. 

In this way, the search space of the unknown parameters /3 
and p is reduced to a narrow margin defined as (3*{p* — 1) G 
{0.996 .T^i, 1.004 ar^i}. 

Applying this method to the proposed example of [8, 
§111], whose equilibrium point is X(j± = \/72, the absolute 
determination error of x'^± was 7.5 x 10^*^, equivalent to a 
relative error of 0.0089% . 
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Fig. 4. Logarithmic representation of the mean of the recovered text noise 
power e'^, for several values of x*^. 



response systems are equal, hence the recovered text m*{t) 
follows the plaintext m{t) exactly; being negligible the effect 
of different initial conditions after a very short transient. If 
the parameters of both systems do not agree, the recovered 
text will consist of a noisy distorted version of the original 
plaintext, growing the noise and distortion as the mismatch 
between drive and response systems parameters grows. 



III. Breaking of the proposed encryption system a. Parameter determination 



We designed an intruder receiver based on a homogeneous 
driving synchronization mechanism [15] between the trans- 
mitter drive Lorenz system and a receiver response subsystem, 
that was a partial duplicate of the drive system reduced to only 
two variables yr{t) and Zr{t), driven by the drive variable x{t). 
The response system was defined by the following equations: 



Vr 



p X ~ yr ~ XZr 

' l3 Zip . 



(6) 



Note that for breaking the system it is only necessary to get 
the knowledge of the parameters p and (3, i.e. the parameter 
cr may be ignored and need not be determined, unlike in the 
Solak method [11] which requires its previous knowledge, or 
in the Stojanovski et all. method [12] which requires the simul- 
taneous determination of all the three unknown parameters. 

As it was shown in [15, §111], this drive-response config- 
uration has two conditional Lyapunov exponents, both fairly 
negative, thus leading to a very estable system. The conse- 
quence is that, if the parameters of drive and response systems 
are moderately different, the drive and response variables will 
be alike, though not totally identical. This property may be 
exploited to search the right parameter values looking at the 
retrieved plaintext and applying an optimization procedure to 
find the parameters that provide the best retrieved plaintext 
quality. 

When the synchronizing signal is fed to the response system 
described by Eq. ^ and the parameters of both systems agree, 
i.e. p* = p and [3* = [3, the variables y and yr of the drive an 



In the particular case of the example in [8, 
encryption and decryption functions were: 

s = y^ + (i + y^)"^, 

S Vr 



§111], the 



1 + y2 1 + y2 

Equation ([8]) of the recovered text can be rewritten as: 



1 + , y^-yf 



1 



(7) 
(8) 

(9) 

Vr -L + yr 

This equation has two terms, the first one is a function of 
the plaintext message m{t) and the variables y and yr- When 
y ^ yr the term is reduced to the undistorted plaintext, but if 
y ^ yr a distortion appears. The second term is a function of 
y and yr and can be considered as a jamming noise. Figure |3] 
depicts the spectrum of the recovered text corresponding to the 
example, but with a wrong guessing of the response system 
parameters: p* ~ 28.01 and (3* = 2.667. It can be seen that 
the spectrum has two main frequency bands: one around the 
plaintext 7Ti(t) frequency of 30 Hz, that corresponds to the 
distorted plaintext, and another near Hz that corresponds to 
the jamming noise. Assuming that the plaintext will always 
consist of an a.c. band limited signal without d.c. component, 
as in the numerical example given in [8], it is clear from Fig.|3] 
that the second term of Eq. (|9]l may be isolated from the first 
by means of a suitable filter. 

The most important band of the jamming noise e was 
isolated by means of a finite impulse response low pass 
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filter with 2048 terms and a cutoff frequency of 0.2 Hz, that 
suppressed the contribution of the plaintext m{t) and most 
of the frequency terms generated by the modulation with 
the chaotic signal y'^{t). Figure|4] illustrates the mean value 
of the squared noise e'^, i.e. the average noise power, as a 
function of p*, with the eye center a;^± as parameter, with the 
same transmitter system parameters of the numerical example 
presented in [8] and the intruder receiver described by Eq. (|6]l. 
The mean of was computed along the first 20 s, after a delay 
of 2 seconds, to let the initial transient finish. It is clearly seen 
that the noise grows monotonically with the mismatch between 
the transmitter and receiver parameters \p* — p\ and that the 
minimum error corresponds to the receiver system parameter 
p* exactly matching the transmitter system parameter p, when 
x*c± = xc± = VPiP - 1) = V72. 

The search of the correct parameter values f3* and p* is 
carried out with the following procedure: 

1) Determine the approximate value of the eye center a;^± 
as described in Section HH from the x{t) waveform. 

2) Keeping the last value of x^-t, vary the value of p* until 
a minimum of the average noise power is reached. 

3) Keeping the last value of p*, vary the value of eye center 

until a new minimum of the average noise power 
is reached. 

4) Repeat the two previous steps until a stable result of 
average noise power will be reached and retain the last 
values of p* and the ultimate ones. 

5) Calculate the value of /3* as (3* = {x*^±f/{p* - 1). 
Table I] shows the evolution of the relative eye center error, 

the relative p* parameter error and the average jamming noise 
power It can be seen that the procedure converges rapidly to 
the exact values: p* = p = 2% and xt,± = xc± = \fT2.. 



TABLE I 

Evolution of the the relative eye center error, the relative 
p* parameter error and the average jamming noise power. 



Step 


Relative eye center en'or 

{x*^^ -Xc±)/xc± 


Relative p* error 

(p* - p)Ip 


Average noise 
power 


1 


8.90 X 10"=' 






2 


8.90 X 10^5* 


-3.57 X 10-* 


5.2 X IQ-* 


3 


2.72 X IQ-** 


-3.57 X 10-** 


8.9 X 10-12 


4 


2.72 X 10"** 





6.5 X 10-13 


5 





0* 


6.1 X 10-13 


6 


0* 





6.1 X 10-13 



• = old data held from the previous step 



The value of the unknown parameter 13* was deduced from 
Eq. (|5]i with the estimated values of p* and 

(^c±)^ ^ 8 
(p--l) 3- 

Note that this method works as well for the general case 
described by Eqs. ^ and Q that have similar structure to 
Eqs. (IT) and ^ which describe the special case of the example 
in [8, §111], just selected here for experimental demonstration. 

B. Plaintext retrieving 

As the system parameters are equivalent to the system key, 
once the exact values of (3* and p* are known, the ciphertext 
can be efficiently decoded by the intruder receiver defined 
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Fig. 5. Retrieved plaintext with the ultimate values of the response system 
parameters. 



by Eq. (|6]l. Figure |5] shows the three first seconds of the 
retrieved plaintext with the response system receiver described 
by Eq. (|6]l, corresponding to the ciphertext example of [8, §111]. 
It can be seen that the plaintext is perfectly recovered after a 
short transient period of less than one second. 

IV. Simulations 

All results were based on simulations with MATLAB 7.1, 
the Lorenz integration algorithm was a four-fifth order Runge- 
Kutta with an absolute error tolerance of 10"^, and a relative 
error tolerance of 10^^. 

V. Conclusions 

A simple method was proposed to reduce the parameter 
search space of the Lorenz system, based on the determination 
of the system equilibrium points from the waveform analysis 
of one of its variables x{t). Then the method was applied to the 
cryptanalysis of the cryptosystem [8], showing that it is rather 
weak since it can be broken without knowing its parameter 
values. The total lack of security discourages the use of this 
algorithm for secure applications. 

This work was supported by Ministerio de Ciencia y Tec- 
nologia of Spain, research grant SEG2004-02418, and by The 
Hong Kong Polytechnic University's Postdoctoral Fellowships 
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